This post was last edited by ulyanov2233 on 2025-7-6 11:24
essp scan: miss; KSN reports unknown; not yet uploaded to OP. Kaspersky scan: miss https://opentip.kaspersky.com/01 ... /results?tab=upload Already uploaded to OP; OP also misses. After the miss, it also blacklisted the abnormal traffic that Qi'anxin Tianqiong caught.
According to the abnormal-communication-traffic report, the sample exhibits the following abnormal traffic:
1. DNS queries for an Alibaba Cloud CDN domain (aliyuncs.com):
- 10.0.2.15:57642 -> 10.0.2.3:53
- 10.0.2.15:54853 -> 10.0.2.3:53
2. Abnormal TLS session traffic associated with the Alibaba Cloud CDN domain (aliyuncs.com):
- 10.0.2.15:49756 -> 112.74.1.157:443
- Associated domains or links: shi5ce.oss-cn-shenzhen.aliyuncs.com, https://shi5ce.oss-cn-shenzhen.aliyuncs.com/tad, https://shi5ce.oss-cn-shenzhen.aliyuncs.com/s.dat
3. Certificate exchange summary:
- IP: 112.74.1.157, subject: alibaba (china) technology co., ltd., issuer: globalsign nv-sa, valid from: 2025-01-03 03:21:02, valid to: 2026-02-04 03:21:01, Serial: 6a14da3653098b0e94cd6dee
- IP: 112.74.1.157, subject: globalsign nv-sa, issuer: globalsign, valid from: 2024-09-18 03:14:38, valid to: 2029-03-18 00:00:00, Serial: 81e5ab98e46f35b91c2ffa178718c85a
- IP: 112.74.1.157, subject: globalsign, issuer: globalsign nv-sa, valid from: 2018-09-19 00:00:00, valid to: 2028-01-28 12:00:00, Serial: 1ee5f169dff97352b6465d66a
4. Abnormal HTTP requests:
- GET http://ocsp.globalsign.com/rootr ... xad%2F5c1K2Rl1mo%3D
- GET http://ocsp2.globalsign.com/root ... Y5G81uRwv%2BheHGMha
- GET http://ocsp.globalsign.com/gsgcc ... jZTCYsOlM1t7g%3D%3D
5. Abnormal traffic sessions of type Malformed:
- Source IP 112.74.1.157:443, destination IP 10.0.2.15:49756
- Source IP 112.74.1.157, destination IP 10.0.2.15
This abnormal traffic indicates that the sample engages in suspicious network communication, possibly used for data theft, command-and-control (C&C) communication, or other malicious activity.